HTML file stored in CRX does not open in Browser, instead, it is getting downloaded | AEM


HTML file stored directly in the Oak repository does not open in the Browser. Instead, it is downloaded in 6.1 SP2 and later versions.


AEM 6.x


It is an intended change in AEM 6.2. Even for 6.1, the same change applies to Service Pack 2 and later patches. 

It was introduced as a part of Sling Security Fix. - Extend content disposition filter protection to jcr: data - Add Content Disposition Excluded Paths


Other customers reported it as a security issue. 

  1. They identified that malicious files can potentially be uploaded by using the functionality.
  2. Access the uploaded file through the URL mentioned above and verify that the file gets executed.


Engineering team fixed the issue and implemented this change and by default the file gets downloaded instead of opening up in the browser.

It comes through the following OSGI configuration: 


The checked box - Enable Content Disposition for all paths is causing this change in behavior, which is intended.

To revert to old behavior:

If one is OK to bear this security issue, one can clear the check box and the file gets directly opened in the browser instead of getting downloaded. Hence, meeting your requirements.